Stored Data Manipulation

let CriticalFileExtensions = dynamic([".sql", ".db", ".sqlite", ".mdb", ".accdb", ".dbf", ".csv", ".xlsx", ".xls", ".docx", ".xml", ".json", ".config", ".conf", ".ini", ".cs", ".py", ".js"]);
let BackupExtensions = dynamic([".bk", ".bak", ".orig", ".backup", ".old", ".tmp"]);
let TrustedDBProcesses = dynamic(["sqlservr.exe", "mysqld.exe", "postgres.exe", "mongod.exe", "oracle.exe", "sqlite3.exe", "MsMpEng.exe", "OneDrive.exe", "OUTLOOK.EXE", "EXCEL.EXE", "WINWORD.EXE"]);
// Detect bulk modification of critical data files OR SUNSPOT-style backup-and-replace pattern
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FileName has_any (CriticalFileExtensions) or FileName has_any (BackupExtensions)
| where not(InitiatingProcessFileName has_any (TrustedDBProcesses))
| extend IsCriticalFile = FileName has_any (CriticalFileExtensions)
| extend IsBackupFile = FileName has_any (BackupExtensions)
| summarize
    TotalUniqueFiles = dcount(FileName),
    CriticalFileCount = countif(IsCriticalFile),
    BackupFileCount = countif(IsBackupFile),
    ModifiedFiles = make_set(FileName, 30),
    UniqueFolders = dcount(FolderPath),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName,
       InitiatingProcessCommandLine, InitiatingProcessId, bin(Timestamp, 5m)
| where TotalUniqueFiles >= 5
    or (BackupFileCount >= 1 and CriticalFileCount >= 1)
| extend DetectionReason = case(
    BackupFileCount >= 1 and CriticalFileCount >= 1, "BackupReplacePattern_SUNSPOT_Analog",
    TotalUniqueFiles >= 20, "BulkModification_High",
    TotalUniqueFiles >= 10, "BulkModification_Medium",
    "BulkModification_Low"
)
| extend RiskScore = case(
    DetectionReason == "BackupReplacePattern_SUNSPOT_Analog", 90,
    DetectionReason == "BulkModification_High", 80,
    DetectionReason == "BulkModification_Medium", 60,
    40
)
| project FirstSeen, LastSeen, DeviceName, InitiatingProcessAccountName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         TotalUniqueFiles, CriticalFileCount, BackupFileCount,
         UniqueFolders, ModifiedFiles, DetectionReason, RiskScore
| sort by RiskScore desc, TotalUniqueFiles desc

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| eval TargetLower=lower(TargetFilename)
| eval IsCritical=if(match(TargetLower, "\.(sql|db|sqlite|mdb|accdb|dbf|csv|xlsx|xls|docx|xml|json|config|conf|ini|cs|py|js)$"), 1, 0)
| eval IsBackup=if(match(TargetLower, "\.(bk|bak|orig|backup|old|tmp)$"), 1, 0)
| eval TrustedProcess=if(match(lower(Image), "(sqlservr|mysqld|postgres|mongod|oracle|sqlite3|msmpeng|onedrive|outlook|excel|winword)\.exe$"), 1, 0)
| where (IsCritical=1 OR IsBackup=1) AND TrustedProcess=0
| bin _time span=5m
| stats
    count as TotalEvents,
    dc(TargetFilename) as UniqueFiles,
    sum(IsCritical) as CriticalFileCount,
    sum(IsBackup) as BackupFileCount,
    values(TargetFilename) as ModifiedFiles,
    dc(TargetFilename) as FolderCount
    by _time, host, Image, User, CommandLine, ProcessId
| where UniqueFiles >= 5 OR (BackupFileCount >= 1 AND CriticalFileCount >= 1)
| eval DetectionReason=case(
    BackupFileCount >= 1 AND CriticalFileCount >= 1, "BackupReplacePattern_SUNSPOT_Analog",
    UniqueFiles >= 20, "BulkModification_High",
    UniqueFiles >= 10, "BulkModification_Medium",
    true(), "BulkModification_Low"
)
| eval RiskScore=case(
    DetectionReason="BackupReplacePattern_SUNSPOT_Analog", 90,
    DetectionReason="BulkModification_High", 80,
    DetectionReason="BulkModification_Medium", 60,
    true(), 40
)
| table _time, host, User, Image, CommandLine, ProcessId, UniqueFiles, CriticalFileCount, BackupFileCount, ModifiedFiles, DetectionReason, RiskScore
| sort - RiskScore UniqueFiles

any where
  (event.category == "file" and event.type == "change" and
   file.extension : ("sql","db","sqlite","mdb","csv","xlsx","xls","docx","xml","json","config","conf") and
   not process.name : ("sqlservr.exe","mysqld","postgres","oracle","mongod","sqlite3",
                        "EXCEL.EXE","WINWORD.EXE","Code.exe","notepad.exe","vim","nano") and
   process.name : ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe",
                    "python*","perl","ruby","bash","sh","certutil.exe","bitsadmin.exe")) or
  (event.category == "process" and event.type == "start" and
   process.name : ("sqlcmd.exe","osql.exe","mysql.exe","psql.exe","sqlite3.exe") and
   process.args : ("*UPDATE*","*DELETE*","*DROP*","*INSERT*","*TRUNCATE*") and
   not process.parent.name : ("sqlservr.exe","mysqld","postgres","DBArtisan*"))

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') as EventTime,
  logsourcename(logsourceid) as LogSource, username as User,
  "TargetFilename" as TargetFile, "Image" as ProcessImage, "CommandLine" as CommandLine,
  CASE WHEN "Image" ILIKE '%cmd.exe%' AND "TargetFilename" ILIKE '%.sql%' THEN 9
       WHEN "Image" ILIKE '%powershell%' AND "TargetFilename" ILIKE '%.db%' THEN 8
       WHEN "Image" ILIKE '%sqlcmd%' AND "CommandLine" ILIKE '%(UPDATE|DELETE|DROP)%' THEN 9
       ELSE 5 END as RiskScore
FROM events
WHERE eventid IN (1, 11, 23)
  AND (
    (eventid IN (11,23) AND
     ("TargetFilename" ILIKE '%.sql%' OR "TargetFilename" ILIKE '%.db%'
      OR "TargetFilename" ILIKE '%.sqlite%' OR "TargetFilename" ILIKE '%.csv%') AND
     LOWER("Image") LIKE ANY ('%cmd.exe%','%powershell%','%wscript%','%python%','%perl%','%certutil%'))
    OR (eventid = 1 AND LOWER("Image") LIKE ANY ('%sqlcmd%','%osql%','%mysql.exe%','%psql%') AND
        ("CommandLine" ILIKE '%UPDATE%' OR "CommandLine" ILIKE '%DELETE%'
         OR "CommandLine" ILIKE '%DROP%' OR "CommandLine" ILIKE '%TRUNCATE%'))
  )
ORDER BY RiskScore DESC, EventTime DESC

_sourceCategory=windows/sysmon OR _sourceCategory=linux/sysmon
| json auto
| where EventID in ("1","11","23")
| eval ImageLower = toLower(coalesce(Image,""))
| eval TargetLower = toLower(coalesce(TargetFilename,""))
| eval CmdLower = toLower(coalesce(CommandLine,""))
| eval is_file_mod = if(EventID in ("11","23") AND
    TargetLower matches ".*(\.(sql|db|sqlite|mdb|csv|xlsx|xls|docx|xml|json|config|conf))$" AND
    ImageLower matches ".*(cmd|powershell|pwsh|wscript|cscript|python|perl|ruby|certutil|bitsadmin).*", 1, 0)
| eval is_sql_exec = if(EventID == "1" AND
    ImageLower matches ".*(sqlcmd|osql|mysql|psql|sqlite3)\..*$" AND
    CmdLower matches ".*(update|delete|drop|truncate|insert).*", 1, 0)
| where is_file_mod == 1 OR is_sql_exec == 1
| table _time, Computer, User, Image, CommandLine, TargetFilename, ParentImage
| sort by _time desc

rule stored_data_manipulation {
  meta:
    author = "Detection Engineering"
    description = "Detects unauthorized stored data manipulation (T1565.001)"
    severity = "HIGH"
    tactic = "TA0040"

  events:
    $e.metadata.event_type = "FILE_MODIFICATION"
    re.regex($e.target.file.full_path, `(?i)\.(sql|db|sqlite|mdb|csv|xlsx|json|config|conf)$`) nocase
    re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell|wscript|cscript|python|perl|certutil|bitsadmin)`) nocase

  condition:
    $e
}

#event_simpleName = "ProcessRollup2"
| (ImageFileName = /(cmd|powershell|pwsh|wscript|cscript|python|perl|ruby|certutil)\.exe$/i
   AND TargetFileName = /\.(sql|db|sqlite|mdb|csv|xlsx|json|config|conf)$/i)
  OR (ImageFileName = /(sqlcmd|osql|mysql|psql|sqlite3)\.exe$/i
      AND CommandLine = /(UPDATE|DELETE|DROP|TRUNCATE|INSERT)/i)
| eval detection_type = case {
    ImageFileName = /(sqlcmd|osql|mysql|psql|sqlite3)\.exe$/i : "SQL_DML_Execution";
    * : "Data_File_Modified"
  }
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, TargetFileName, detection_type
| sort by timestamp desc